Epic hits out at Google over handling of Fortnite Android exploit

Epic Games CEO Tim Sweeney has branded Google as “irresponsible”, accusing the tech giant of staging a “counter-PR” campaign against his company over the release of Fortnite on Android devices.

Sweeney believes that Google has taken issue with Epic’s decision not to use the Google Play Store to release its popular battle royale title on Android. Google is typically the go-to platform for Android released. However, Epic decided to release the game directly via its official website.

This, Google previously warned, was a bad decision. The search giant claimed that by avoiding publishing its title via Google Play, Epic was putting the security of its users at risk.

A security audit conducted by Google following launch revealed that this was the case. The search giant found that the Fortnite APK was susceptible to a ‘Man-in-the-Disk’ (MiTD) exploit, where a hacker could potentially trick users into installing a completely different app to what they believe they are downloading.

Epic rolled out a patch for the exploit within 24 hours. However, the company asked Google to keep details of the exploit secret, likely in an attempt to stop hackers from searching for similar exploits.

Google’s policies state that discovered bugs are subject to a 90-day disclosure deadline, which essentially means that Google will release details 90 days after the exploit is discovered. However, the tech company chose to release details of the Fortnite Android exploit after just one week — a move that Sweeney believes put Fortnite users at risk.

Epic vs Google: Two sides, but the same loser both times

“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.“However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.”

Of course, this is Epic’s own doing. By avoiding publishing Fortnite on the Play Store, users are forced to disable certain security features on their devices in order to successfully install the title.

And yet, it is easy to see why Epic has taken issue with Google’s speedy disclosure of the issue, which didn’t provide a suitable length of time for many users to update the app, which put their devices at risk.

“An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused,” Sweeney said.

“Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”

Whether Google thought that it was doing the right thing, simply adhering to policy, or attempting to score points after being shunned by Epic Games, Fortnite’s users are the real losers.